Mar 3, 2020

All Let's Encrypt Certificates Affected by the CAA Rechecking Bug Have Been Reissued

On February 29, 2020, Let's Encrypt found a bug in the Certificate Authority Authorization (CAA) rechecking code of Boulder, their CA software. Over three million certificates issued by Let's Encrypt were affected. The bug itself, as described in the official 2020.02.29 CAA Rechecking Bug thread, was:

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
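To make the quoted description concrete, here is an added illustration (not Boulder's code and not part of the original post) that models the defect beside the intended per-name recheck; the CAA records, names and issuer tag are constructed for the example, and CAA lookup is reduced to an in-memory table that climbs towards the root as RFC 8659 describes.

```go
package main

import "strings"

// Constructed CAA data (not real DNS): name -> issuer tags on its "issue"
// records. A name missing from the map has no CAA record set.
var caaIssue = map[string][]string{
	"example.com":      {"letsencrypt.org"},
	"example.net":      {"letsencrypt.org"},
	"shop.example.net": {"other-ca.example"}, // owner later barred Let's Encrypt
}

// caaPermits applies RFC 8659: the closest record set climbing towards the
// root governs; none at any level means unrestricted, otherwise issuer must be listed.
func caaPermits(name, issuer string) bool {
	labels := strings.Split(name, ".")
	for i := range labels {
		if rs, found := caaIssue[strings.Join(labels[i:], ".")]; found {
			for _, tag := range rs {
				if tag == issuer {
					return true
				}
			}
			return false
		}
	}
	return true
}

// recheckBuggy models the quoted defect: N names, one of them looked up N times.
func recheckBuggy(names []string, issuer string) []string {
	var blocked []string
	for range names { // N iterations, always the same name
		if !caaPermits(names[0], issuer) {
			blocked = append(blocked, names[0])
		}
	}
	return blocked
}

// recheckEachName is the intended behaviour: every name in the request is checked.
func recheckEachName(names []string, issuer string) []string {
	var blocked []string
	for _, n := range names {
		if !caaPermits(n, issuer) {
			blocked = append(blocked, n)
		}
	}
	return blocked
}
```

For a request covering www.example.com and shop.example.net, the buggy recheck reports nothing while the per-name recheck reports shop.example.net, which is exactly the gap between validation at time X and a CAA record added later.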

All hosting plans we offer include free SSL certificates by Let's Encrypt, and a lot of our customers use them, which meant that many websites would be affected.

At ICDSoft we take such issues very seriously, and our team took immediate action. We checked for any affected certificates on our servers in order to reissue them accordingly. There were 128 SSL certificates that had been affected by the CAA rechecking bug, and they have all been successfully reissued. As a result, no customer of ICDSoft experienced any SSL-related issues caused by this bug and the subsequent revocation by Let's Encrypt of all affected certificates.